Sri Lanka is grappling with a significant cyber security crisis following a ransomware attack that has targeted critical Government institutions, shedding light on the nation’s digital vulnerabilities and prompting experts to call for immediate and comprehensive cyber security reforms.
The impact of the attack
Government domains recently fell victim to a ransomware attack, a form of cybercrime where malicious actors encrypt sensitive data and demand payment for its release. While the extent of the damage remains uncertain, the incident underscores serious concerns regarding the security of critical Government information.
Cyber security consultant Asela Waidyalankara expressed concerns over the lack of transparency surrounding the incident and highlighted that the attackers may have gained access to sensitive Government information, potentially putting critical data at risk. This could have repercussions on national security and even carry geopolitical implications.
Waidyalankara stressed that ransomware attacks could lead to significant disruptions, with data held hostage for days or even weeks.
“The concern is that critical Government information is out there now on the dark web. Since this was a ransomware attack, I’m assuming the Government did not pay the ransom and managed to decrypt and get things running, but the problem is they have lost two months of data.
“At least, that’s what we know for now- – we don’t know if the bad guy has more and has only released two months worth of data. These are the open-ended questions we must figure out.
“Don’t forget there are negotiations ongoing with the International Monetary Fund (IMF) – maybe the Finance Ministry has those online and maybe a third party State actor or non-State actor might be curious to know what is going on there and wants that information,” he cautioned.
He went on to say that the public often underestimated the importance of Government data, which, if compromised, could be exploited by malicious actors for various purposes. “The general public is quick to dismiss it, thinking there isn’t anything important that can leak from the Government, but we must understand that these are all information of the State machinery and we don’t know what advantage it can give to somebody or if this information can be sold somewhere. There could even be a geopolitical impact on Sri Lanka.”
Ransomware attacks explained
Waidyalankara elaborated: “Simply explained, ransomware is where someone comes in, holds your data hostage, and says they will only release it to you upon a payment. Just like a real life hostage, except here, it’s your data being held hostage. There is usually a countdown and if you don’t pay, the data will be encrypted so you cannot use it, resulting in the disruption of your operations for days or maybe weeks, depending on the size and scale of the data that was affected.
“The software used to steal your data is a type of malware. Cryptocurrency is the usual method of payment for this sort of cyber crime.”
Waidyalankara urged a more nuanced and strategic approach to cyber security, emphasising the need for a comprehensive national policy and strategy. He called for either a presidential or parliamentary inquiry to not only understand the reasons behind the attack, but also to formulate effective policies and strategies to prevent future incidents.
Lack of cyber security precautions
“We look at these things and think it’s an IT problem and forget about it, but instead we need to take a more nuanced, strategic approach. That is what other countries are doing – they are very mature when it comes to a cyber incident on a national scale, because this is not some company getting breached.
“What’s our policy on this? What’s our strategy on this? These are some of the questions that we need to ask, because this is not the first time that this has happened. In 2022, the ‘LK’ domain was breached and they said they were going to start an investigation, but we never heard about it after that.
“Another concern is that there are projects in the pipeline like the eNIC project where we are going to model ourselves after India’s Aadhaar project. The Government is going to have a huge heap of citizen data and if you’re not following the fundamentals, the security of the project is going to be a big question mark. This is not to say that we don’t need digitisation, we definitely do; it will ensure transparency, efficiency, etc. But in parallel, we always emphasise on security – at the start, from the design phase, from day one. If you don’t do that, you will have catastrophic incidents like this,” he said.
Waidyalankara also highlighted the importance of adhering to existing data protection laws, such as the Personal Data Protection Act No.9 of 2022, while calling for fundamental mistakes to be corrected.
“The Personal Data Protection Act is very clear on how data is managed by an organisation, be it the State or the private sector. We are not even adhering to that. Fundamental mistakes must be corrected. I understand there might be challenges within the State sector and I’m empathetic to that, but this certainly has to be looked at in a very serious manner.”
Additionally, he stressed the significance of Business Continuity Planning (BCP), which ensures that in the event of a security incident, an organisation can quickly recover and restore its services. The absence of robust BCP protocols has been identified as a major issue in Sri Lanka’s cyber security landscape.
“There were no backups and apparently it is due to administrative reasons. I understand from one point of view. I’m not going to be harsh on these Government agencies; the Information and Communication Technology Agency (ICTA) is having an identity crisis. People have left as the brain drain is not only in the private sector. Even in the ICTA, top level technical employees have left. With all that, there might have been issues, I’m not denying that. However, the fact that there was no backup is dangerous.
“In the tech world there is something called the BCP, because sometimes you can’t prevent an incident from happening. What’s most important is how quickly you can get back on your feet, how quickly you can have the services available once again. The technical and process controls are vital in this and I don’t think this has received due attention. I wish there was more emphasis on how this is vital, because the world is changing and data is the new oil.”
Data recovery unlikely
Sri Lanka Computer Emergency Readiness Team (CERT) Chief Information Security Officer Nirosh Ananda cautioned against paying ransoms as there was no guarantee that data would be returned. He emphasised the need for international collaboration to address the aftermath of the attack.
“We haven’t found any sustainable solution so far. There was a ransom demanded, but we are not aware of the amount. We don’t negotiate; generally we don’t advise anyone to pay ransom because there is no guarantee that we will get our data back once we pay the ransom. Even if we get it back, there could be a series of attacks thereafter.
“A total of 5,000 email accounts across all Government departments, including the President’s Office and the Cabinet Office, were subjected to the attack. We have to try other options available to get the data back. We are collaborating with others including international partners and we are trying to see if we can get the data back. However, it is quite unlikely we’ll get it back.”
Noting that ransomware attacks could happen when systems are outdated, Ananda said: “We have to keep the systems up to date to have an advanced way of protecting against ransomware. But even then, we cannot say that we have 100% protection. We could have precautionary measures where, if something happens, we can move seamlessly to another system which is not infected. We need to have a proper plan to respond to these kinds of attacks. Ransomware is a headache for the entire world, not only for Sri Lanka.”
SL’s digital future
Federation of IT Industry Sri Lanka (FITIS) Chief Executive Officer Jayasiri Amarasena stressed that cyber security must evolve as technology rapidly changes.
“We ensure that we secure our digital systems because technology is rapidly changing. Things like Artificial Intelligence (AI), machine language, and quantum computing are on the horizon and all this will benefit not just us but also cyber criminals; it will give them more ways of attacking systems.
“Security is not a one-time thing. It is a process and continuous monitoring is the only way we can protect our systems. If we are going with digital systems, in today’s context, it is essential that we secure them as people will not trust the systems otherwise. Secondly, we will lose our data and all the ensuing disruption will come. I’m saying this from an industry point of view.”
He encouraged a security by design approach, where security is integrated into applications from the outset.
“For applications, security by design is the concept adopted by the industry. You are not only looking at the perimeter defences but defences built into the application itself. That’s the way to go, but you have to be continuously watching the changes in technology. If not, you cannot safeguard your systems as technology is rapidly evolving.”
Sri Lanka has taken positive steps in the realm of cyber security, including the development of an information and cyber security policy and the pending Cyber Security Act. Additionally, private sector initiatives, such as the establishment of security operation centres, reflect a growing recognition of the importance of cyber security in the digital age.
“Sri Lanka has taken many positive steps. There is an information and cyber security policy that was passed by the Cabinet last year and CERT is implementing that. The Ministry of Technology has also come up with the Cyber Security Act and it is now in its final stages. This will help the Government as well.
“The industry itself is taking necessary steps because there are several security operation centres that have come up in the private sector, so all large corporations are considering it seriously because that is the only way to survive in the digital domain. Sri Lanka has the expertise and there is a lot of training going in the cyber security sector.”
As Sri Lanka navigates the aftermath of the ransomware attack, it faces not only the challenge of securing its existing digital systems but also the imperative of instilling trust in these systems among its citizens. The incident serves as a stark reminder that cyber security is not a one-time endeavour but a continuous process essential for the nation’s digital future.